Set safe content security policy for SVG files
The `com.glide.csp.self_script_src_svg` system property adds the `script-src none` directive to the HTTP Content-Security-Policy header when Scalable Vector Graphics (SVG) files are accessed through the Translation Memory Index (IIX) file extension (`.iix`). Because an SVG can carry script, a crafted SVG stored as a file attachment within the instance could otherwise be used for stored XSS; the directive blocks script execution in the rendered file and so prevents that exploitation.
Ensure that the property `com.glide.csp.self_script_src_svg` is set to true.
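Setting the property is only half of the check; the other half is confirming that a response serving an SVG via `.iix` actually carries a Content-Security-Policy header that forbids script execution. The following is an added example, not ServiceNow code: a small CSP header parser and a check that accepts the directive whether it is written as `script-src 'none'` (the CSP syntax) or `script-src none` (as this page writes it), and that also accounts for the fallback to `default-src` when `script-src` is absent. The sample headers at the bottom are constructed for illustration.

```python
"""Verify that a Content-Security-Policy header blocks script execution for an
SVG served via the .iix extension. Added illustration, not ServiceNow code."""
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a CSP header into {directive-name: [source expressions]}.

    Directives are separated by ';' and tokens by whitespace; directive names
    are case-insensitive. If a directive name is repeated, CSP keeps the first
    occurrence and ignores the rest, so setdefault() mirrors that rule.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def svg_scripts_blocked(header: Optional[str]) -> bool:
    """Return True only if the policy forbids all script execution.

    script-src governs scripts; when it is absent, default-src applies instead.
    'none' only takes effect when it is the sole source expression, so a list
    such as ['self', 'none'] is not treated as blocking.
    """
    if not header:
        return False  # no header at all: the browser applies no restriction
    policy = parse_csp(header)
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if not sources:
        return False
    normalized = [s.lower().strip("'") for s in sources]
    return normalized == ["none"]


def audit(responses: Dict[str, Optional[str]]) -> List[str]:
    """Given {url: CSP header or None}, return the URLs whose SVG response
    would still allow script execution (i.e. the ones to remediate)."""
    return [url for url, csp in responses.items() if not svg_scripts_blocked(csp)]


# Constructed sample responses (hypothetical URLs and headers, not captured data).
SAMPLE_RESPONSES = {
    "https://example.invalid/attachment-a.iix": "default-src 'self'; script-src 'none'",
    "https://example.invalid/attachment-b.iix": "script-src none; img-src *",
    "https://example.invalid/attachment-c.iix": "default-src 'self'",
    "https://example.invalid/attachment-d.iix": None,
}

if __name__ == "__main__":
    for url in audit(SAMPLE_RESPONSES):
        print("script execution NOT blocked:", url)
```

In practice the `responses` mapping would be filled from the `Content-Security-Policy` header of real `.iix` responses for SVG attachments on the instance; the parser deliberately accepts the unquoted form because that is how the directive is documented on this page.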
More information
| Attribute | Description |
|---|---|
| Configuration name | com.glide.csp.self_script_src_svg |
| Configuration type | System Properties (/sys_properties_list.do) |
| Data type | Boolean |
| Recommended value | true |
| Default value | <none> |
| Fallback value | false |
| Category | Validation, sanitization, and encoding |
| Security risk | |
| Dependencies and prerequisites | None |
| Functional impact | This property prevents scalable vector graphics (SVG) files from accessing external scripts. |